CVE-2020-15602

Published: Jul 15, 2020Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An untrusted search path remote code execution (RCE) vulnerability in the Trend Micro Secuity 2020 (v16.0.0.1146 and below) consumer family of products could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator. User interaction is required to exploit the vulnerbaility in that the target must open a malicious directory or device.

Affected (4)

Products: Trendmicro: Antivirus+ 2020, Internet Security 2020, Maximum Security 2020, Premium Security 2020

Trendmicro

4 products

Antivirus+ 2020

Internet Security 2020

Maximum Security 2020

Premium Security 2020

Configuration A

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Trendmicro Antivirus+ 2020	Up to 16.0.1146
Trendmicro Internet Security 2020	Up to 16.0.1146
Trendmicro Maximum Security 2020	Up to 16.0.1146
Trendmicro Premium Security 2020	Up to 16.0.1146

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

CWE-426

Untrusted Search Path

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (2)

https://helpcenter.trendmicro.com/en-us/article/TMKA-09644

Source: security@trendmicro.com

Vendor Advisory

https://helpcenter.trendmicro.com/en-us/article/TMKA-09644

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.